xref: /freebsd/contrib/wpa/src/eap_peer/eap_config.h (revision 8ddb146abcdf061be9f2c0db7e391697dafad85c)
1 /*
2  * EAP peer configuration data
3  * Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #ifndef EAP_CONFIG_H
10 #define EAP_CONFIG_H
11 
12 /**
13  * struct eap_peer_cert_config - EAP peer certificate configuration/credential
14  */
15 struct eap_peer_cert_config {
16 	/**
17 	 * ca_cert - File path to CA certificate file (PEM/DER)
18 	 *
19 	 * This file can have one or more trusted CA certificates. If ca_cert
20 	 * and ca_path are not included, server certificate will not be
21 	 * verified. This is insecure and a trusted CA certificate should
22 	 * always be configured when using EAP-TLS/TTLS/PEAP. Full path to the
23 	 * file should be used since working directory may change when
24 	 * wpa_supplicant is run in the background.
25 	 *
26 	 * Alternatively, a named configuration blob can be used by setting
27 	 * this to blob://blob_name.
28 	 *
29 	 * Alternatively, this can be used to only perform matching of the
30 	 * server certificate (SHA-256 hash of the DER encoded X.509
31 	 * certificate). In this case, the possible CA certificates in the
32 	 * server certificate chain are ignored and only the server certificate
33 	 * is verified. This is configured with the following format:
34 	 * hash:://server/sha256/cert_hash_in_hex
35 	 * For example: "hash://server/sha256/
36 	 * 5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a"
37 	 *
38 	 * On Windows, trusted CA certificates can be loaded from the system
39 	 * certificate store by setting this to cert_store://name, e.g.,
40 	 * ca_cert="cert_store://CA" or ca_cert="cert_store://ROOT".
41 	 * Note that when running wpa_supplicant as an application, the user
42 	 * certificate store (My user account) is used, whereas computer store
43 	 * (Computer account) is used when running wpasvc as a service.
44 	 */
45 	char *ca_cert;
46 
47 	/**
48 	 * ca_path - Directory path for CA certificate files (PEM)
49 	 *
50 	 * This path may contain multiple CA certificates in OpenSSL format.
51 	 * Common use for this is to point to system trusted CA list which is
52 	 * often installed into directory like /etc/ssl/certs. If configured,
53 	 * these certificates are added to the list of trusted CAs. ca_cert
54 	 * may also be included in that case, but it is not required.
55 	 */
56 	char *ca_path;
57 
58 	/**
59 	 * client_cert - File path to client certificate file (PEM/DER)
60 	 *
61 	 * This field is used with EAP method that use TLS authentication.
62 	 * Usually, this is only configured for EAP-TLS, even though this could
63 	 * in theory be used with EAP-TTLS and EAP-PEAP, too. Full path to the
64 	 * file should be used since working directory may change when
65 	 * wpa_supplicant is run in the background.
66 	 *
67 	 * Alternatively, a named configuration blob can be used by setting
68 	 * this to blob://blob_name.
69 	 */
70 	char *client_cert;
71 
72 	/**
73 	 * private_key - File path to client private key file (PEM/DER/PFX)
74 	 *
75 	 * When PKCS#12/PFX file (.p12/.pfx) is used, client_cert should be
76 	 * commented out. Both the private key and certificate will be read
77 	 * from the PKCS#12 file in this case. Full path to the file should be
78 	 * used since working directory may change when wpa_supplicant is run
79 	 * in the background.
80 	 *
81 	 * Windows certificate store can be used by leaving client_cert out and
82 	 * configuring private_key in one of the following formats:
83 	 *
84 	 * cert://substring_to_match
85 	 *
86 	 * hash://certificate_thumbprint_in_hex
87 	 *
88 	 * For example: private_key="hash://63093aa9c47f56ae88334c7b65a4"
89 	 *
90 	 * Note that when running wpa_supplicant as an application, the user
91 	 * certificate store (My user account) is used, whereas computer store
92 	 * (Computer account) is used when running wpasvc as a service.
93 	 *
94 	 * Alternatively, a named configuration blob can be used by setting
95 	 * this to blob://blob_name.
96 	 */
97 	char *private_key;
98 
99 	/**
100 	 * private_key_passwd - Password for private key file
101 	 *
102 	 * If left out, this will be asked through control interface.
103 	 */
104 	char *private_key_passwd;
105 
106 	/**
107 	 * dh_file - File path to DH/DSA parameters file (in PEM format)
108 	 *
109 	 * This is an optional configuration file for setting parameters for an
110 	 * ephemeral DH key exchange. In most cases, the default RSA
111 	 * authentication does not use this configuration. However, it is
112 	 * possible setup RSA to use ephemeral DH key exchange. In addition,
113 	 * ciphers with DSA keys always use ephemeral DH keys. This can be used
114 	 * to achieve forward secrecy. If the file is in DSA parameters format,
115 	 * it will be automatically converted into DH params. Full path to the
116 	 * file should be used since working directory may change when
117 	 * wpa_supplicant is run in the background.
118 	 *
119 	 * Alternatively, a named configuration blob can be used by setting
120 	 * this to blob://blob_name.
121 	 */
122 	char *dh_file;
123 
124 	/**
125 	 * subject_match - Constraint for server certificate subject
126 	 *
127 	 * This substring is matched against the subject of the authentication
128 	 * server certificate. If this string is set, the server certificate is
129 	 * only accepted if it contains this string in the subject. The subject
130 	 * string is in following format:
131 	 *
132 	 * /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@n.example.com
133 	 *
134 	 * Note: Since this is a substring match, this cannot be used securely
135 	 * to do a suffix match against a possible domain name in the CN entry.
136 	 * For such a use case, domain_suffix_match should be used instead.
137 	 */
138 	char *subject_match;
139 
140 	/**
141 	 * check_cert_subject - Constraint for server certificate subject fields
142 	 *
143 	 * If check_cert_subject is set, the value of every field will be
144 	 * checked against the DN of the subject in the authentication server
145 	 * certificate. If the values do not match, the certificate verification
146 	 * will fail, rejecting the server. This option allows wpa_supplicant to
147 	 * match every individual field in the right order against the DN of the
148 	 * subject in the server certificate.
149 	 *
150 	 * For example, check_cert_subject=C=US/O=XX/OU=ABC/OU=XYZ/CN=1234 will
151 	 * check every individual DN field of the subject in the server
152 	 * certificate. If OU=XYZ comes first in terms of the order in the
153 	 * server certificate (DN field of server certificate
154 	 * C=US/O=XX/OU=XYZ/OU=ABC/CN=1234), wpa_supplicant will reject the
155 	 * server because the order of 'OU' is not matching the specified string
156 	 * in check_cert_subject.
157 	 *
158 	 * This option also allows '*' as a wildcard. This option has some
159 	 * limitation.
160 	 * It can only be used as per the following example.
161 	 *
162 	 * For example, check_cert_subject=C=US/O=XX/OU=Production* and we have
163 	 * two servers and DN of the subject in the first server certificate is
164 	 * (C=US/O=XX/OU=Production Unit) and DN of the subject in the second
165 	 * server is (C=US/O=XX/OU=Production Factory). In this case,
166 	 * wpa_supplicant will allow both servers because the value of 'OU'
167 	 * field in both server certificates matches 'OU' value in
168 	 * 'check_cert_subject' up to 'wildcard'.
169 	 *
170 	 * (Allow all servers, e.g., check_cert_subject=*)
171 	 */
172 	char *check_cert_subject;
173 
174 	/**
175 	 * altsubject_match - Constraint for server certificate alt. subject
176 	 *
177 	 * Semicolon separated string of entries to be matched against the
178 	 * alternative subject name of the authentication server certificate.
179 	 * If this string is set, the server certificate is only accepted if it
180 	 * contains one of the entries in an alternative subject name
181 	 * extension.
182 	 *
183 	 * altSubjectName string is in following format: TYPE:VALUE
184 	 *
185 	 * Example: EMAIL:server@example.com
186 	 * Example: DNS:server.example.com;DNS:server2.example.com
187 	 *
188 	 * Following types are supported: EMAIL, DNS, URI
189 	 */
190 	char *altsubject_match;
191 
192 	/**
193 	 * domain_suffix_match - Constraint for server domain name
194 	 *
195 	 * If set, this semicolon deliminated list of FQDNs is used as suffix
196 	 * match requirements for the server certificate in SubjectAltName
197 	 * dNSName element(s). If a matching dNSName is found against any of the
198 	 * specified values, this constraint is met. If no dNSName values are
199 	 * present, this constraint is matched against SubjectName CN using same
200 	 * suffix match comparison. Suffix match here means that the host/domain
201 	 * name is compared case-insentively one label at a time starting from
202 	 * the top-level domain and all the labels in domain_suffix_match shall
203 	 * be included in the certificate. The certificate may include
204 	 * additional sub-level labels in addition to the required labels.
205 	 *
206 	 * For example, domain_suffix_match=example.com would match
207 	 * test.example.com but would not match test-example.com. Multiple
208 	 * match options can be specified in following manner:
209 	 * example.org;example.com.
210 	 */
211 	char *domain_suffix_match;
212 
213 	/**
214 	 * domain_match - Constraint for server domain name
215 	 *
216 	 * If set, this FQDN is used as a full match requirement for the
217 	 * server certificate in SubjectAltName dNSName element(s). If a
218 	 * matching dNSName is found, this constraint is met. If no dNSName
219 	 * values are present, this constraint is matched against SubjectName CN
220 	 * using same full match comparison. This behavior is similar to
221 	 * domain_suffix_match, but has the requirement of a full match, i.e.,
222 	 * no subdomains or wildcard matches are allowed. Case-insensitive
223 	 * comparison is used, so "Example.com" matches "example.com", but would
224 	 * not match "test.Example.com".
225 	 *
226 	 * More than one match string can be provided by using semicolons to
227 	 * separate the strings (e.g., example.org;example.com). When multiple
228 	 * strings are specified, a match with any one of the values is
229 	 * considered a sufficient match for the certificate, i.e., the
230 	 * conditions are ORed together.
231 	 */
232 	char *domain_match;
233 
234 	/**
235 	 * pin - PIN for USIM, GSM SIM, and smartcards
236 	 *
237 	 * This field is used to configure PIN for SIM and smartcards for
238 	 * EAP-SIM and EAP-AKA. In addition, this is used with EAP-TLS if a
239 	 * smartcard is used for private key operations.
240 	 *
241 	 * If left out, this will be asked through control interface.
242 	 */
243 	char *pin;
244 
245 	/**
246 	 * engine - Enable OpenSSL engine (e.g., for smartcard access)
247 	 *
248 	 * This is used if private key operations for EAP-TLS are performed
249 	 * using a smartcard.
250 	 */
251 	int engine;
252 
253 	/**
254 	 * engine_id - Engine ID for OpenSSL engine
255 	 *
256 	 * "opensc" to select OpenSC engine or "pkcs11" to select PKCS#11
257 	 * engine.
258 	 *
259 	 * This is used if private key operations for EAP-TLS are performed
260 	 * using a smartcard.
261 	 */
262 	char *engine_id;
263 
264 
265 	/**
266 	 * key_id - Key ID for OpenSSL engine
267 	 *
268 	 * This is used if private key operations for EAP-TLS are performed
269 	 * using a smartcard.
270 	 */
271 	char *key_id;
272 
273 	/**
274 	 * cert_id - Cert ID for OpenSSL engine
275 	 *
276 	 * This is used if the certificate operations for EAP-TLS are performed
277 	 * using a smartcard.
278 	 */
279 	char *cert_id;
280 
281 	/**
282 	 * ca_cert_id - CA Cert ID for OpenSSL engine
283 	 *
284 	 * This is used if the CA certificate for EAP-TLS is on a smartcard.
285 	 */
286 	char *ca_cert_id;
287 
288 	/**
289 	 * ocsp - Whether to use/require OCSP to check server certificate
290 	 *
291 	 * 0 = do not use OCSP stapling (TLS certificate status extension)
292 	 * 1 = try to use OCSP stapling, but not require response
293 	 * 2 = require valid OCSP stapling response
294 	 */
295 	int ocsp;
296 };
297 
298 /**
299  * struct eap_peer_config - EAP peer configuration/credentials
300  */
301 struct eap_peer_config {
302 	/**
303 	 * identity - EAP Identity
304 	 *
305 	 * This field is used to set the real user identity or NAI (for
306 	 * EAP-PSK/PAX/SAKE/GPSK).
307 	 */
308 	u8 *identity;
309 
310 	/**
311 	 * identity_len - EAP Identity length
312 	 */
313 	size_t identity_len;
314 
315 	/**
316 	 * anonymous_identity -  Anonymous EAP Identity
317 	 *
318 	 * This field is used for unencrypted use with EAP types that support
319 	 * different tunnelled identity, e.g., EAP-TTLS, in order to reveal the
320 	 * real identity (identity field) only to the authentication server.
321 	 *
322 	 * If not set, the identity field will be used for both unencrypted and
323 	 * protected fields.
324 	 *
325 	 * This field can also be used with EAP-SIM/AKA/AKA' to store the
326 	 * pseudonym identity.
327 	 */
328 	u8 *anonymous_identity;
329 
330 	/**
331 	 * anonymous_identity_len - Length of anonymous_identity
332 	 */
333 	size_t anonymous_identity_len;
334 
335 	u8 *imsi_identity;
336 	size_t imsi_identity_len;
337 
338 	/**
339 	 * machine_identity - EAP Identity for machine credential
340 	 *
341 	 * This field is used to set the machine identity or NAI for cases where
342 	 * and explicit machine credential (instead of or in addition to a user
343 	 * credential (from %identity) is needed.
344 	 */
345 	u8 *machine_identity;
346 
347 	/**
348 	 * machine_identity_len - EAP Identity length for machine credential
349 	 */
350 	size_t machine_identity_len;
351 
352 	/**
353 	 * password - Password string for EAP
354 	 *
355 	 * This field can include either the plaintext password (default
356 	 * option) or a NtPasswordHash (16-byte MD4 hash of the unicode
357 	 * presentation of the password) if flags field has
358 	 * EAP_CONFIG_FLAGS_PASSWORD_NTHASH bit set to 1. NtPasswordHash can
359 	 * only be used with authentication mechanism that use this hash as the
360 	 * starting point for operation: MSCHAP and MSCHAPv2 (EAP-MSCHAPv2,
361 	 * EAP-TTLS/MSCHAPv2, EAP-TTLS/MSCHAP, LEAP).
362 	 *
363 	 * In addition, this field is used to configure a pre-shared key for
364 	 * EAP-PSK/PAX/SAKE/GPSK. The length of the PSK must be 16 for EAP-PSK
365 	 * and EAP-PAX and 32 for EAP-SAKE. EAP-GPSK can use a variable length
366 	 * PSK.
367 	 */
368 	u8 *password;
369 
370 	/**
371 	 * password_len - Length of password field
372 	 */
373 	size_t password_len;
374 
375 	/**
376 	 * machine_password - Password string for EAP machine credential
377 	 *
378 	 * This field is used when machine credential based on username/password
379 	 * is needed instead of a user credential (from %password). See
380 	 * %password for more details on the format.
381 	 */
382 	u8 *machine_password;
383 
384 	/**
385 	 * machine_password_len - Length of machine credential password field
386 	 */
387 	size_t machine_password_len;
388 
389 	/**
390 	 * cert - Certificate parameters for Phase 1
391 	 */
392 	struct eap_peer_cert_config cert;
393 
394 	/**
395 	 * phase2_cert - Certificate parameters for Phase 2
396 	 *
397 	 * This is like cert, but used for Phase 2 (inside
398 	 * EAP-TTLS/PEAP/FAST/TEAP tunnel) authentication.
399 	 */
400 	struct eap_peer_cert_config phase2_cert;
401 
402 	/**
403 	 * machine_cert - Certificate parameters for Phase 2 machine credential
404 	 *
405 	 * This is like cert, but used for Phase 2 (inside EAP-TEAP tunnel)
406 	 * authentication with machine credentials (while phase2_cert is used
407 	 * for user credentials).
408 	 */
409 	struct eap_peer_cert_config machine_cert;
410 
411 	/**
412 	 * eap_methods - Allowed EAP methods
413 	 *
414 	 * (vendor=EAP_VENDOR_IETF,method=EAP_TYPE_NONE) terminated list of
415 	 * allowed EAP methods or %NULL if all methods are accepted.
416 	 */
417 	struct eap_method_type *eap_methods;
418 
419 	/**
420 	 * phase1 - Phase 1 (outer authentication) parameters
421 	 *
422 	 * String with field-value pairs, e.g., "peapver=0" or
423 	 * "peapver=1 peaplabel=1".
424 	 *
425 	 * 'peapver' can be used to force which PEAP version (0 or 1) is used.
426 	 *
427 	 * 'peaplabel=1' can be used to force new label, "client PEAP
428 	 * encryption",	to be used during key derivation when PEAPv1 or newer.
429 	 *
430 	 * Most existing PEAPv1 implementation seem to be using the old label,
431 	 * "client EAP encryption", and wpa_supplicant is now using that as the
432 	 * default value.
433 	 *
434 	 * Some servers, e.g., Radiator, may require peaplabel=1 configuration
435 	 * to interoperate with PEAPv1; see eap_testing.txt for more details.
436 	 *
437 	 * 'peap_outer_success=0' can be used to terminate PEAP authentication
438 	 * on tunneled EAP-Success. This is required with some RADIUS servers
439 	 * that implement draft-josefsson-pppext-eap-tls-eap-05.txt (e.g.,
440 	 * Lucent NavisRadius v4.4.0 with PEAP in "IETF Draft 5" mode).
441 	 *
442 	 * include_tls_length=1 can be used to force wpa_supplicant to include
443 	 * TLS Message Length field in all TLS messages even if they are not
444 	 * fragmented.
445 	 *
446 	 * sim_min_num_chal=3 can be used to configure EAP-SIM to require three
447 	 * challenges (by default, it accepts 2 or 3).
448 	 *
449 	 * result_ind=1 can be used to enable EAP-SIM and EAP-AKA to use
450 	 * protected result indication.
451 	 *
452 	 * fast_provisioning option can be used to enable in-line provisioning
453 	 * of EAP-FAST credentials (PAC):
454 	 * 0 = disabled,
455 	 * 1 = allow unauthenticated provisioning,
456 	 * 2 = allow authenticated provisioning,
457 	 * 3 = allow both unauthenticated and authenticated provisioning
458 	 *
459 	 * fast_max_pac_list_len=num option can be used to set the maximum
460 	 * number of PAC entries to store in a PAC list (default: 10).
461 	 *
462 	 * fast_pac_format=binary option can be used to select binary format
463 	 * for storing PAC entries in order to save some space (the default
464 	 * text format uses about 2.5 times the size of minimal binary format).
465 	 *
466 	 * crypto_binding option can be used to control PEAPv0 cryptobinding
467 	 * behavior:
468 	 * 0 = do not use cryptobinding (default)
469 	 * 1 = use cryptobinding if server supports it
470 	 * 2 = require cryptobinding
471 	 *
472 	 * EAP-WSC (WPS) uses following options: pin=Device_Password and
473 	 * uuid=Device_UUID
474 	 *
475 	 * For wired IEEE 802.1X authentication, "allow_canned_success=1" can be
476 	 * used to configure a mode that allows EAP-Success (and EAP-Failure)
477 	 * without going through authentication step. Some switches use such
478 	 * sequence when forcing the port to be authorized/unauthorized or as a
479 	 * fallback option if the authentication server is unreachable. By
480 	 * default, wpa_supplicant discards such frames to protect against
481 	 * potential attacks by rogue devices, but this option can be used to
482 	 * disable that protection for cases where the server/authenticator does
483 	 * not need to be authenticated.
484 	 */
485 	char *phase1;
486 
487 	/**
488 	 * phase2 - Phase2 (inner authentication with TLS tunnel) parameters
489 	 *
490 	 * String with field-value pairs, e.g., "auth=MSCHAPV2" for EAP-PEAP or
491 	 * "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS. "mschapv2_retry=0" can
492 	 * be used to disable MSCHAPv2 password retry in authentication failure
493 	 * cases.
494 	 */
495 	char *phase2;
496 
497 	/**
498 	 * machine_phase2 - Phase2 parameters for machine credentials
499 	 *
500 	 * See phase2 for more details.
501 	 */
502 	char *machine_phase2;
503 
504 	/**
505 	 * pcsc - Parameters for PC/SC smartcard interface for USIM and GSM SIM
506 	 *
507 	 * This field is used to configure PC/SC smartcard interface.
508 	 * Currently, the only configuration is whether this field is %NULL (do
509 	 * not use PC/SC) or non-NULL (e.g., "") to enable PC/SC.
510 	 *
511 	 * This field is used for EAP-SIM and EAP-AKA.
512 	 */
513 	char *pcsc;
514 
515 	/**
516 	 * otp - One-time-password
517 	 *
518 	 * This field should not be set in configuration step. It is only used
519 	 * internally when OTP is entered through the control interface.
520 	 */
521 	u8 *otp;
522 
523 	/**
524 	 * otp_len - Length of the otp field
525 	 */
526 	size_t otp_len;
527 
528 	/**
529 	 * pending_req_identity - Whether there is a pending identity request
530 	 *
531 	 * This field should not be set in configuration step. It is only used
532 	 * internally when control interface is used to request needed
533 	 * information.
534 	 */
535 	int pending_req_identity;
536 
537 	/**
538 	 * pending_req_password - Whether there is a pending password request
539 	 *
540 	 * This field should not be set in configuration step. It is only used
541 	 * internally when control interface is used to request needed
542 	 * information.
543 	 */
544 	int pending_req_password;
545 
546 	/**
547 	 * pending_req_pin - Whether there is a pending PIN request
548 	 *
549 	 * This field should not be set in configuration step. It is only used
550 	 * internally when control interface is used to request needed
551 	 * information.
552 	 */
553 	int pending_req_pin;
554 
555 	/**
556 	 * pending_req_new_password - Pending password update request
557 	 *
558 	 * This field should not be set in configuration step. It is only used
559 	 * internally when control interface is used to request needed
560 	 * information.
561 	 */
562 	int pending_req_new_password;
563 
564 	/**
565 	 * pending_req_passphrase - Pending passphrase request
566 	 *
567 	 * This field should not be set in configuration step. It is only used
568 	 * internally when control interface is used to request needed
569 	 * information.
570 	 */
571 	int pending_req_passphrase;
572 
573 	/**
574 	 * pending_req_sim - Pending SIM request
575 	 *
576 	 * This field should not be set in configuration step. It is only used
577 	 * internally when control interface is used to request needed
578 	 * information.
579 	 */
580 	int pending_req_sim;
581 
582 	/**
583 	 * pending_req_otp - Whether there is a pending OTP request
584 	 *
585 	 * This field should not be set in configuration step. It is only used
586 	 * internally when control interface is used to request needed
587 	 * information.
588 	 */
589 	char *pending_req_otp;
590 
591 	/**
592 	 * pending_req_otp_len - Length of the pending OTP request
593 	 */
594 	size_t pending_req_otp_len;
595 
596 	/**
597 	 * pac_file - File path or blob name for the PAC entries (EAP-FAST)
598 	 *
599 	 * wpa_supplicant will need to be able to create this file and write
600 	 * updates to it when PAC is being provisioned or refreshed. Full path
601 	 * to the file should be used since working directory may change when
602 	 * wpa_supplicant is run in the background.
603 	 * Alternatively, a named configuration blob can be used by setting
604 	 * this to blob://blob_name.
605 	 */
606 	char *pac_file;
607 
608 	/**
609 	 * mschapv2_retry - MSCHAPv2 retry in progress
610 	 *
611 	 * This field is used internally by EAP-MSCHAPv2 and should not be set
612 	 * as part of configuration.
613 	 */
614 	int mschapv2_retry;
615 
616 	/**
617 	 * new_password - New password for password update
618 	 *
619 	 * This field is used during MSCHAPv2 password update. This is normally
620 	 * requested from the user through the control interface and not set
621 	 * from configuration.
622 	 */
623 	u8 *new_password;
624 
625 	/**
626 	 * new_password_len - Length of new_password field
627 	 */
628 	size_t new_password_len;
629 
630 	/**
631 	 * fragment_size - Maximum EAP fragment size in bytes (default 1398)
632 	 *
633 	 * This value limits the fragment size for EAP methods that support
634 	 * fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
635 	 * small enough to make the EAP messages fit in MTU of the network
636 	 * interface used for EAPOL. The default value is suitable for most
637 	 * cases.
638 	 */
639 	int fragment_size;
640 
641 #define EAP_CONFIG_FLAGS_PASSWORD_NTHASH BIT(0)
642 #define EAP_CONFIG_FLAGS_EXT_PASSWORD BIT(1)
643 #define EAP_CONFIG_FLAGS_MACHINE_PASSWORD_NTHASH BIT(2)
644 #define EAP_CONFIG_FLAGS_EXT_MACHINE_PASSWORD BIT(3)
645 	/**
646 	 * flags - Network configuration flags (bitfield)
647 	 *
648 	 * This variable is used for internal flags to describe further details
649 	 * for the network parameters.
650 	 * bit 0 = password is represented as a 16-byte NtPasswordHash value
651 	 *         instead of plaintext password
652 	 * bit 1 = password is stored in external storage; the value in the
653 	 *         password field is the name of that external entry
654 	 * bit 2 = machine password is represented as a 16-byte NtPasswordHash
655 	 *         value instead of plaintext password
656 	 * bit 3 = machine password is stored in external storage; the value in
657 	 *         the password field is the name of that external entry
658 	 */
659 	u32 flags;
660 
661 	/**
662 	 * external_sim_resp - Response from external SIM processing
663 	 *
664 	 * This field should not be set in configuration step. It is only used
665 	 * internally when control interface is used to request external
666 	 * SIM/USIM processing.
667 	 */
668 	char *external_sim_resp;
669 
670 	/**
671 	 * sim_num - User selected SIM identifier
672 	 *
673 	 * This variable is used for identifying which SIM is used if the system
674 	 * has more than one.
675 	 */
676 	int sim_num;
677 
678 	/**
679 	 * openssl_ciphers - OpenSSL cipher string
680 	 *
681 	 * This is an OpenSSL specific configuration option for configuring the
682 	 * ciphers for this connection. If not set, the default cipher suite
683 	 * list is used.
684 	 */
685 	char *openssl_ciphers;
686 
687 	/**
688 	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
689 	 */
690 	int erp;
691 
692 	/**
693 	 * pending_ext_cert_check - External server certificate check status
694 	 *
695 	 * This field should not be set in configuration step. It is only used
696 	 * internally when control interface is used to request external
697 	 * validation of server certificate chain.
698 	 */
699 	enum {
700 		NO_CHECK = 0,
701 		PENDING_CHECK,
702 		EXT_CERT_CHECK_GOOD,
703 		EXT_CERT_CHECK_BAD,
704 	} pending_ext_cert_check;
705 
706 	int teap_anon_dh;
707 };
708 
709 
710 /**
711  * struct wpa_config_blob - Named configuration blob
712  *
713  * This data structure is used to provide storage for binary objects to store
714  * abstract information like certificates and private keys inlined with the
715  * configuration data.
716  */
717 struct wpa_config_blob {
718 	/**
719 	 * name - Blob name
720 	 */
721 	char *name;
722 
723 	/**
724 	 * data - Pointer to binary data
725 	 */
726 	u8 *data;
727 
728 	/**
729 	 * len - Length of binary data
730 	 */
731 	size_t len;
732 
733 	/**
734 	 * next - Pointer to next blob in the configuration
735 	 */
736 	struct wpa_config_blob *next;
737 };
738 
739 #endif /* EAP_CONFIG_H */
740